First, I would like to point out that there are still users which use Outlook 2000. Outlook 2000 can be also used for sending and receiving such messages. Finjan Software response: Finjan Software products are not vulnerable. SurfinGate for E-Mail reassembles fragmented messages, and then performs security analysis and applies content management rules. SurfinShield is installed on end users machines. It gets the reassembled message from the E-Mail client, and proactively monitors the behavior of active content included or attached to the E-Mail message. BTW, CERT has approached Finjan Software, and we've replied. Beyond Security Ltd. probably hasn't received yet the response from CERT. Regards, Menashe Eliezer Manager, Malicious Code Research Center Finjan Software http://www.finjan.com/mcrc Prevention is the best cure! -----Original Message----- From: Aviram Jenik [mailto:aviram@beyondsecurity.com] Sent: Thursday, September 12, 2002 3:45 PM To: bugtraq@securityfocus.com Subject: Bypassing SMTP Content Protection with a Flick of a Button Bypassing SMTP Content Protection with a Flick of a Button ------------------------------------------------------------------------ Article reference: http://www.securiteam.com/securitynews/5YP0A0K8CM.html SUMMARY Forget underground hacking tools. How about using Outlook Express as your attack platform? Beyond Security's SecurITeam has discovered a new method of bypassing many SMTP-based content filter engines. This discovery is alarming since it requires from the attacker nothing more than an Outlook Express client and employs a rarely-used feature called 'message fragmentation and re-assembly' that is available in Outlook Express. Using this feature, an attacker can send e-mails that will bypass most SMTP filtering engines including gateway Virus scanners, content filters, Firewalls that do SMTP checking, etc. Impact: Anyone wishing to bypass SMTP filtering engines can utilize the mentioned method to bypass most types of content checking, and deliver its payload to the end-client without any trouble, whether it is a Virus, Trojan or a file type that is not allowed by the corporate policy. The information has been provided by <mailto:noamr@beyondsecurity.com> Noam Rathaus, Beyond Security Ltd. -- Aviram Jenik Beyond Security Ltd. http://www.BeyondSecurity.com http://www.SecuriTeam.com Know that you're safe: http://www.AutomatedScanning.com
